From 2d6f810f226b4263b811c8bd18e1b9d1a0802d86 Mon Sep 17 00:00:00 2001
From: Jim O'Donnell <james.odonnell@dtc.ox.ac.uk>
Date: Mon, 10 Feb 2025 12:27:17 +0000
Subject: [PATCH] build: deploy pixel-driller API to staging (#254)

* build: deploy pixel-driller API to staging

Add pixel-driller to the nginx config and the staging docker-compose file.

* Add env vars, use hyphenated name

* Add missing semicolon

---------

Co-authored-by: Fred Thomas <fred.thomas@eci.ox.ac.uk>
---
 .../jamaica.infrastructureresilience.org      | 23 +++++++++++++++++++
 docker-compose.stage.yml                      | 14 ++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/deploy/etc/nginx/sites-available/jamaica.infrastructureresilience.org b/deploy/etc/nginx/sites-available/jamaica.infrastructureresilience.org
index f396d9e0..7ba44a27 100644
--- a/deploy/etc/nginx/sites-available/jamaica.infrastructureresilience.org
+++ b/deploy/etc/nginx/sites-available/jamaica.infrastructureresilience.org
@@ -25,6 +25,10 @@ upstream raster_tileserver {
         server 127.0.0.1:3003;
 }
 
+upstream pixel_driller {
+        server 127.0.0.1:3004;
+}
+
 # Set up rate limit
 limit_req_zone $binary_remote_addr zone=slow:10m rate=50r/s;
 
@@ -148,6 +152,25 @@ server {
 		add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 	}
 
+	location /pixel {
+		# basic authentication - use htpasswd to add users
+		auth_basic "Access restricted";
+		auth_basic_user_file /etc/nginx/.htpasswd;
+
+		proxy_pass http://pixel_driller;
+		rewrite ^/pixel/(.+) /$1 break;
+		proxy_set_header Host $host/pixel;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+
+		# allow CORS with auth
+		add_header Access-Control-Allow-Origin "$http_origin" always;
+		add_header 'Access-Control-Allow-Credentials' 'true' always;
+		add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+		add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+	}
+
 	listen [::]:443 ssl ipv6only=on; # managed by Certbot
 	listen 443 ssl; # managed by Certbot
 	ssl_certificate /etc/letsencrypt/live/jamaica.infrastructureresilience.org/fullchain.pem; # managed by Certbot
diff --git a/docker-compose.stage.yml b/docker-compose.stage.yml
index ab21b37f..787a8b8d 100644
--- a/docker-compose.stage.yml
+++ b/docker-compose.stage.yml
@@ -1,7 +1,7 @@
 # Staging environment - as production except for domain
 services:
   frontend:
-    image: ghcr.io/nismod/jsrat-frontend:0.4.21
+    image: ghcr.io/nismod/jsrat-frontend:canary
     platform: linux/amd64
     build: ./frontend
     ports:
@@ -52,3 +52,15 @@ services:
       - TC_RESAMPLING_METHOD=nearest
       - TC_REPROJECTION_METHOD=nearest
       - TC_PNG_COMPRESS_LEVEL=1
+
+  pixel-driller:
+    image: ghcr.io/nismod/jsrat-pixel-driller:canary
+    platform: linux/amd64
+    build: ./pixel_driller
+    ports:
+      - "3004:80"
+    volumes:
+      - ./tileserver/stacks:/data
+    environment:
+      - PIXEL_STACK_DATA_DIR=/data
+      - LAYER_METADATA_PATH=/data/hazard_layers.csv